From: Mark
Date: Tue, 12 Aug 2003 00:28:40 GMT
Message-Id: <200308120028.H7C0SDXS058360@asarian-host.net>
References: <200308120023.H7C0MXXS058110@asarian-host.net>
Organization: Asarian-host
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP

----- Original Message -----
From: "Mark"
Sent: Tuesday, August 12, 2003 2:23 AM
Subject: Restricting ICMP

> Hello,
>
> Is there a way I can use ipfw to disallow ICMP from anyone, but
> root? (FreeBSD 4.7R) I tried this:
>
> ${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in
> via ${outside}
> ${fwcmd} -q add 4 allow icmp from any to any uid root
> ${fwcmd} -q add 4 deny log icmp from any to any
>
> But that, obviously, does not do what I want it to, as it keeps
> denying everything going out. It may not even be possible to
> restrict ICMP that way, but it never hurts to ask. :)

Sorry for the addendum; but I was not entirely clear. I want to restrict
*outgoing* ICMP (traceroute and such) to anyone, but root.

- Mark